Infoblox Threat Intel

Horrid Hawk

Horrid Hawk is a financially motivated threat actor that uses hijacked domains to prey on consumers though investment scams.

Since at least February 2023, the threat actor has embedded thousands of hijacked domains in short-lived Facebook ads that span multiple continents and target victims in more than 30 languages, including English, Italian, Polish, Turkish and Spanish.

The actor uses the Sitting Ducks attack vector to hijack domains for investment scams. The domains typically have positive reputations that Horrid Hawk uses to shield their fraudulent investment sites from security researchers and other unwanted web visitors.

Infoblox has identified close to 5,000 hijacked domains linked to this actor as of October 2024.

Operating since: At least February 2023
Infoblox discovered: June 2024
Infoblox published: November 2024
Prevalence: Uncommon

Read Infoblox’s Threat Intelligence Research Report to learn how and why Hawks and Vipers execute new Sitting Ducks attacks.

Threat actor resources

Blog

Infoblox Threat Intel
November 14, 2024

DNS Predators Hijack Domains to Supply their Attack Infrastructure

Learn how DNS threat actors hijack domains and use them in their malicious campaigns.

Research Report

Infoblox Threat Intel
November 14, 2024

DNS Predators Attack: Vipers and Hawks Hijack Sitting Ducks Domains

It all began with a lookalike domain. The domain was crafted to look like a Slack hosting resource, but it was hosted in Russia. Simple phishing?

Infoblox Threat Intel

Horrid Hawk

Threat actor resources

Blog

DNS Predators Hijack Domains to Supply their Attack Infrastructure

Research Report

DNS Predators Attack: Vipers and Hawks Hijack Sitting Ducks Domains

Products

Solutions

Company

Resources

Get Infoblox Email Updates